FAPI question from livestream #311
Just a follow-up question from the livestream regarding FAPI implementation. Does implementing the FAPI spec in our code only apply to local login, or does this also work with external providers such as Microsoft or Google? Also, the livestream was great and I look forward to seeing any others you all put on. Thanks!
Thanks so much for tuning in! I had a great time and we do plan to do more of these in the future - stay tuned...

If your aim is to get your IdentityServer implementation certified as conformant to the FAPI profile, the login process at the Authorization Server isn't part of the conformance test suite. The emphasis for conformance is on how requests are made between your client applications, IdentityServer, and APIs. If part of the login process at your IdentityServer involves federating to an external provider, that interaction isn't part of the conformance tests, and you'd be able to get certified without the external provider necessarily supporting all the features required by FAPI.

That said, when you federate with external providers, if you have high-value data that you're protecting and want the level of security that FAPI provides, it would be a good idea to require or at least encourage those providers to follow the recommendations of FAPI. A good example of that in action is HelseID, which is the login system for healthcare across Norway. All the healthcare providers in Norway federate with HelseID, which is a central authority implemented with IdentityServer. In order to be included in that federation, HelseID now requires that providers can pass the conformance tests. This saves them a lot of effort when they're deciding if a provider can be included, because the conformance tests are automated and set a strong baseline for security.

You can find a list of certified FAPI providers at the OIDF's website here. As of this writing, neither Microsoft nor Google has gone through the conformance process to get certified, though many other major providers have. Ultimately, of course, the decision to trust a provider is yours.